OK, thanks. Since currently some http SpiceDB #spicedb

OK, thanks. Since currently some http

felix.yuan

10/31/2023, 2:03 AM

OK, thanks. Since currently some http api cannot be used in http side, so also I tried the gRPC api. However I found that the insecure gRPC cannot connect to a non-localhost address. I setup the authzed in docker-compose and expose the 50051 port to docker host. I wrote a python script and succeed to connect the gRPC in docker host using localhost:50051, but failed if change the host to "authzed:50051" in a docker-compose peer container. I have setup the --grpc-addr 0.0.0.0:50051. The error is

debug_error_string = "UNKNOWN:failed to connect to all addresses; last error: UNKNOWN: ipv4:192.168.0.7:50051: Endpoint is neither UDS or TCP loopback address. {created_time:"2023-10-31T01:32:36.85531+00:00", grpc_status:14}"

. Any clue on this?

Joey

10/31/2023, 2:06 AM

you'll need a custom client if you want to connect insecure to non-localhost

Joey

10/31/2023, 2:07 AM

Copy code

class TokenAuthorization(ClientInterceptor):
    def __init__(self, token: str):
        self._token = token

    def intercept(
        self,
        method: Callable,
        request_or_iterator: Any,
        call_details: grpc.ClientCallDetails,
    ):
        metadata = [("authorization", f"Bearer {self._token}")]
        if call_details.metadata is not None:
            metadata = metadata.extend(call_details.metadata)

        print("final metadata: ", metadata)

        new_details = ClientCallDetails(
            call_details.method,
            call_details.timeout,
            metadata,
            call_details.credentials,
            call_details.wait_for_ready,
            call_details.compression,
        )

        return method(request_or_iterator, new_details)


class CustomClient(Client):
    def __init__(
        self,
        target: str,
        token: str,
        options=None,
        compression=None,
    ):
        fake_credentials = grpc.local_channel_credentials()
        super().__init__(target, fake_credentials, options, compression)
        auth_interceptor = TokenAuthorization(token)

        insecure_channel = grpc.insecure_channel(target, options, compression)
        channel = grpc.intercept_channel(insecure_channel, auth_interceptor)
        SchemaServiceStub.__init__(self, channel)
        PermissionsServiceStub.__init__(self, channel)

felix.yuan

10/31/2023, 2:14 AM

Much appreciated, I will try

Joey

10/31/2023, 2:16 AM

for any real install, though, we highly recommend proper TLS

felix.yuan

10/31/2023, 2:18 AM

Our authzed api is used internally, never expose publicly, still recommend TLS?

Joey

10/31/2023, 2:18 AM

yes

Joey

10/31/2023, 2:18 AM

we also recommend using the operator if you're running on Kubernetes

felix.yuan

10/31/2023, 2:19 AM

sometimes on docker-compose, sometimes on k8s

felix.yuan

10/31/2023, 2:20 AM

We tested in docker-compose, and product environment is k8s

felix.yuan

10/31/2023, 2:21 AM

for TLS setup, I just need to set the

--grpc-tls-cert-path

and

--grpc-tls-key-path

Joey

10/31/2023, 2:22 AM

and make sure its signed to the hostname

Joey

10/31/2023, 2:22 AM

otherwise you'll need to provide a custom CA to the client

felix.yuan

10/31/2023, 2:24 AM

OK, thanks, I'll try the secure setup

Joey

10/31/2023, 9:27 PM

let me know if you have any other questions

corkrean

10/31/2023, 9:29 PM

We have a guide here that demonstrates how to deploy SpiceDB on EKS with TLS. You may find it useful even if you're not on EKS. https://authzed.com/docs/spicedb/deploy-on-eks

theconductor

11/17/2023, 9:14 PM

I've been using the

CustomClient

Joey provided and it's worked like a charm so far, thank you for that! I needed it to just do some preliminary testing of spicedb. Unfortunately, I noticed that it still gave the original "neither UDS or TCP" if I used the new

BulkCheckPermission

api – any idea as to why? Every other call I've made has gone through

Joey

11/17/2023, 9:46 PM

What version of SpiceDB?

theconductor

11/17/2023, 10:04 PM

1.25.0, using the 1.11.0 operator

theconductor

12/01/2023, 10:39 PM

^^ At the time of writing that message I was really quite clueless about a lot of this. Now I have some clues! The fix was simple, just needed to add a line to re-init the

ExperimentalService

, as was already done with the

SchemaService

and

PermissionsService

. The final subclass looks like this:

Copy code

python
class SpiceClient(Client):
    def __init__(
        self,
        target: str,
        token: str,
        options=None,
        compression=None,
    ):
        fake_credentials = grpc.local_channel_credentials()
        super().__init__(target, fake_credentials, options, compression)
        auth_interceptor = TokenAuthorization(token)

        insecure_channel = grpc.insecure_channel(target, options, compression)
        channel = grpc.intercept_channel(insecure_channel, auth_interceptor)
        SchemaServiceStub.__init__(self, channel)
        PermissionsServiceStub.__init__(self, channel)

        # ADDED THESE TWO LINES
        ExperimentalServiceStub.__init__(self, channel)
        WatchServiceStub.__init__(self, channel)

Joey

12/01/2023, 10:41 PM

that makes sense

Previous Next